From fabbd8f940f34f87e4c31b4bf648aeb476371071 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 15 Feb 2024 14:04:46 +0100
Subject: [PATCH] Bug 36102: Use Koha::Session from C4::InstallAuth

Signed-off-by: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
---
 C4/InstallAuth.pm                             | 26 ++++++++++++++-----
 .../prog/en/modules/installer/auth.tt         |  1 +
 2 files changed, 20 insertions(+), 7 deletions(-)

diff --git a/C4/InstallAuth.pm b/C4/InstallAuth.pm
index 56dd8e3260..9a92b3837e 100644
--- a/C4/InstallAuth.pm
+++ b/C4/InstallAuth.pm
@@ -27,6 +27,8 @@ use C4::Context;
 use C4::Output qw( output_html_with_http_headers );
 use C4::Templates;
 
+use Koha::Session;
+
 our (@ISA, @EXPORT_OK);
 BEGIN {
     @ISA    = qw(Exporter);
@@ -117,6 +119,17 @@ sub get_template_and_user {
         $in->{'type'}
     );
 
+    my $session = Koha::Session->get_session( { sessionID => $sessionID, storage_method => 'file' } );
+
+    # We have just logged in
+    # If we are not coming from the login form we empty the credential to reject the access
+    if ( !$session && $user ) {
+        if ( $in->{query}->param('op') ne 'cud-login' ) {
+            $in->{query}->param('userid', '');
+            $in->{query}->param('password', '');
+        }
+    }
+
     #     use Data::Dumper;warn "utilisateur $user cookie : ".Dumper($cookie);
 
     my $borrowernumber;
@@ -233,7 +246,6 @@ sub checkauth {
     my $dbh = C4::Context->dbh();
     my $template_name;
     $template_name = "installer/auth.tt";
-    my $sessdir = File::Spec->catdir( C4::Context::temporary_directory, 'cgisess_' . C4::Context->config('database') ); # same construction as in C4/Auth
 
     # state variables
     my $loggedin = 0;
@@ -242,9 +254,7 @@ sub checkauth {
     my $logout = $query->param('logout.x');
     if ( $sessionID = $query->cookie("CGISESSID") ) {
         C4::Context->_new_userenv($sessionID);
-        my $session =
-          CGI::Session->new( "driver:File", $sessionID,
-            { Directory => $sessdir } );
+        my $session = Koha::Session->get_session( { sessionID => $sessionID, storage_method => 'file' } );
         if ( $session->param('cardnumber') ) {
             C4::Context->set_userenv(
                 $session->param('number'),
@@ -283,8 +293,7 @@ sub checkauth {
         }
     }
     unless ($userid) {
-        my $session =
-          CGI::Session->new( "driver:File", undef, { Directory => $sessdir } );
+        my $session = Koha::Session->get_session( { sessionID => $sessionID, storage_method => 'file' } );
         $sessionID = $session->id;
         $userid    = $query->param('userid');
         C4::Context->_new_userenv($sessionID);
@@ -388,7 +397,10 @@ sub checkauth {
                 $template->param( 'invalid_username_or_password' => $info{'invalid_username_or_password'});
     }
 
-    $template->param( \%info );
+    $template->param(
+        %info,
+        sessionID => $sessionID,
+    );
     $cookie = $query->cookie(
         -name    => 'CGISESSID',
         -value   => $sessionID,
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tt
index 6a30ec6d81..d99550848b 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/installer/auth.tt
@@ -53,6 +53,7 @@
 
                     <form action="[% url | html %]" method="post" id="mainform">
                         [% INCLUDE 'csrf-token.inc' %]
+                        <input type="hidden" name="op" value="cud-login" />
                         [% FOREACH INPUT IN INPUTS %]
                             <input type="hidden" name="[% INPUT.name | html %]" value="[% INPUT.value | html %]" />
                         [% END %]
-- 
2.39.5